Virtually no foreign government is off-limits for the National Security Agency, which has been authorized to intercept information “concerning” all but four countries, according to top-secret documents.
The United States has long had broad no-spying arrangements with those four countries — Britain, Canada, Australia and New Zealand — in a group known collectively with the United States as the Five Eyes. But a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through U.S. companies not just the communications of its overseas targets but any communications about its targets as well.
The certification — approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — lists 193 countries that would be of valid interest for U.S. intelligence. The certification also permitted the agency to gather intelligence about entities including the World Bank, the International Monetary Fund, the European Union and the International Atomic Energy Agency.
The NSA is not necessarily targeting all the countries or organizations identified in the certification, the affidavits and an accompanying exhibit; it has only been given authority to do so. Still, the privacy implications are far-reaching, civil liberties advocates say, because of the wide spectrum of people who might be engaged in communication about foreign governments and entities and whose communications might be of interest to the United States.
“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” said Jameel Jaffer, deputy legal director for the American Civil Liberties Union, who had the documents described to him.
NSA officials, who declined to comment on the certification or acknowledge its authenticity, stressed the constraints placed on foreign intelligence-gathering. The collection must relate to a foreign intelligence requirement — there are thousands — set for the intelligence agencies by the president, the director of national intelligence and various departments through the National Intelligence Priorities Framework.
Furthermore, former government officials said, it is prudent for the certification to list every country — even those whose affairs do not seem to immediately bear on U.S. national security interests or foreign policy.
“It’s not impossible to imagine a humanitarian crisis in a country that’s friendly to the United States, where the military might be expected on a moment’s notice to go in and evacuate all Americans,” said a former senior defense official who spoke on the condition of anonymity to discuss sensitive matters. “If that certification did not list the country,” the NSA could not gather intelligence under the law, the former official said.
The documents shed light on a little-understood process that is central to one of the NSA’s most significant surveillance programs: collection of the e-mails and phone calls of foreign targets under Section 702 of the 2008 FISA Amendments Act.
The foreign-government certification, signed by the attorney general and the director of national intelligence, is one of three approved annually by the Foreign Intelligence Surveillance Court, pursuant to the law. The other two relate to counterterrorism and counterproliferation, according to the documents and former officials.
Under the Section 702 program, the surveillance court also approves rules for surveillance targeting and for protecting Americans’ privacy. The certifications, together with the National Intelligence Priorities Framework, serve as the basis for targeting a person or an entity.
The documents underscore the remarkable breadth of potential “foreign intelligence” collection. Though the FISA Amendments Act grew out of an effort to place under statute a surveillance program devoted to countering terrorism, the result was a program far broader in scope.
An affidavit in support of the 2010 foreign-government certification said the NSA believes that foreigners who will be targeted for collection “possess, are expected to receive and/or are likely to communicate foreign intelligence information concerning these foreign powers.”
That language could allow for surveillance of academics, journalists and human rights researchers. A Swiss academic who has information on the German government’s position in the run-up to an international trade negotiation, for instance, could be targeted if the government has determined there is a foreign-
intelligence need for that information. If a U.S. college professor e-mails the Swiss professor’s e-mail address or phone number to a colleague, the American’s e-mail could be collected as well, under the program’s court-approved rules.
Even the no-spy agreements with the Five Eye countries have exceptions. The agency’s principal targeting system automatically filters out phone calls from Britain, Canada, Australia and New Zealand. But it does not do so for their 28 sovereign territories, such as the British Virgin Islands. An NSA policy bulletin distributed in April 2013 said filtering out those country codes would slow the system down.
“Intelligence requirements, whether satisfied through human sources or electronic surveillance, involve information that may touch on almost every foreign country,” said Timothy Edgar, former privacy officer at the Office of the Director of National Intelligence and now a visiting fellow at Brown University’s Watson Institute for International Affairs.
Those efforts could include surveillance of all manner of foreign intelligence targets — anything from learning about Russian anti-submarine warfare to Chinese efforts to hack into American companies, Edgar said. “It’s unlikely the NSA would target academics, journalists or human rights researchers if there was any other way of getting information,” he said.
A spokeswoman for the NSA, Vanee Vines, said the agency may only target foreigners “reasonably believed to be outside the United States.”
Vines noted that in January, President Obama issued a policy directive stating that U.S. surveillance “shall be as tailored as feasible.” He also directed that the United States no longer spy on dozens of foreign heads of state and that sensitive targeting decisions be subject to high-level review.
“In short, there must be a particular intelligence need, policy approval and legal authorization for U.S. signals intelligence activities, including activities conducted pursuant to Section 702,” Vines said.
On Friday, the Office of the Director of National Intelligence released a transparency report stating that in 2013 the government targeted nearly 90,000 foreign individuals or organizations for foreign surveillance under the program. Some tech-
industry lawyers say the number is relatively low, considering that several billion people use U.S. e-mail services.
Still, some lawmakers are concerned that the potential for intrusions on Americans’ privacy has grown under the 2008 law because the government is intercepting not just communications of its targets but communications about its targets as well. The expansiveness of the foreign-powers certification increases that concern.
In a 2011 FISA court opinion, a judge using an NSA-provided sample estimated that the agency could be collecting as many as 46,000 wholly domestic e-mails a year that mentioned a particular target’s e-mail address or phone number, in what is referred to as “about” collection.
“When Congress passed Section 702 back in 2008, most members of Congress had no idea that the government was collecting Americans’ communications simply because they contained a particular individual’s contact information,” Sen. Ron Wyden (D-Ore.), who has co-sponsored legislation to narrow “about” collection authority, said in an e-mail to The Washington Post. “If ‘about the target’ collection were limited to genuine national security threats, there would be very little privacy impact. In fact, this collection is much broader than that, and it is scooping up huge amounts of Americans’ wholly domestic communications.”
Government officials argue that the wholly domestic e-mails represent a tiny fraction — far less than 1 percent — of the volume collected. They point to court-
imposed rules to protect the privacy of U.S. persons whose communications are picked up in error or because they are in contact with foreign targets.
In general, if Americans’ identities are not central to the import of a communication, they must be masked before being shared with another agency. Communications collected from companies that operate high-volume cables — instead of directly from technology firms such as Yahoo or Google — are kept for two years instead of five. Some of the most sensitive ones are segregated and may not be used without written permission from the NSA director.
Privacy advocates say the rules are riddled with exceptions. They point out that wholly domestic communications may be kept and shared if they contain significant foreign intelligence, a term that is defined broadly, or evidence of a crime. They also note that the rules allow NSA access to certain attorney-client communications, pending review by the agency’s general counsel.
Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, expressed concern about the prospect of capturing e-mails and phone calls of law-abiding foreigners. “The breadth of the certification suggests that the court is authorizing the government to spy on average foreigners and doesn’t exercise much if any control beyond that,” she said.
Some former officials say that the court’s role has been appropriately limited when it comes to foreign targeting decisions, which traditionally have been the purview of the executive branch. The court generally has focused on ensuring that domestic surveillance is targeted at foreign spies or agents of a foreign power.
“Remember, the FISA court is not there to protect the privacy interests of foreign people,” the former defense official said. “That’s not its purpose, however noble the cause might be. Its purpose is to protect the privacy interests of persons guaranteed those protections under the Constitution.”
The only reason the court has oversight of the NSA program is that Congress in 2008 gave the government a new authority to gather intelligence from U.S. companies that own the Internet cables running through the United States, former officials noted.
Edgar, the former privacy officer at the Office of the Director of National Intelligence, said ultimately he believes the authority should be narrowed. “There are valid privacy concerns with leaving these collection decisions entirely in the executive branch,” he said. “There shouldn’t be broad collection, using this authority, of foreign government information without any meaningful judicial role that defines the limits of what can be collected.”